From 9c6c7576b78a372c0cce949f429d3dff6434166c Mon Sep 17 00:00:00 2001
From: papertager <2567587994@qq.com>
Date: Tue, 9 Jun 2026 21:44:55 +0800
Subject: [PATCH 1/2] Add mx-exporter Kubernetes image audit
---
tests/test_audit_k8s_images.py | 24 +++++++++++++++
tools/audit_k8s_images.py | 55 ++++++++++++++++++++++++++++++++++
2 files changed, 79 insertions(+)
create mode 100644 tests/test_audit_k8s_images.py
create mode 100644 tools/audit_k8s_images.py
diff --git a/tests/test_audit_k8s_images.py b/tests/test_audit_k8s_images.py
new file mode 100644
index 0000000..18a7532
--- /dev/null
+++ b/tests/test_audit_k8s_images.py
@@ -0,0 +1,24 @@
+import tempfile
+import unittest
+from pathlib import Path
+
+from tools.audit_k8s_images import audit
+
+
+class AuditK8sImagesTest(unittest.TestCase):
+ def test_detects_inconsistent_exporter_images(self):
+ with tempfile.TemporaryDirectory() as tmpdir:
+ root = Path(tmpdir)
+ deploy = root / "deployment" / "mx-exporter"
+ deploy.mkdir(parents=True)
+ (deploy / "a.yaml").write_text("image: repo/mx-exporter:v1\n", encoding="utf-8")
+ (deploy / "b.yaml").write_text("image: repo/mx-exporter:v2\n", encoding="utf-8")
+
+ report = audit(root)
+
+ self.assertEqual(report["mx_exporter_image_count"], 2)
+ self.assertIs(report["mx_exporter_image_consistent"], False)
+
+
+if __name__ == "__main__":
+ unittest.main()
diff --git a/tools/audit_k8s_images.py b/tools/audit_k8s_images.py
new file mode 100644
index 0000000..cf56c8d
--- /dev/null
+++ b/tools/audit_k8s_images.py
@@ -0,0 +1,55 @@
+#!/usr/bin/env python3
+"""Audit Kubernetes and Helm manifests for mx-exporter image references."""
+
+from __future__ import annotations
+
+import argparse
+import json
+import re
+from pathlib import Path
+
+
+IMAGE_RE = re.compile(r"^\s*image:\s*['\"]?([^'\"\s]+)", re.MULTILINE)
+
+
+def collect_images(root: Path) -> list[dict[str, str]]:
+ images: list[dict[str, str]] = []
+ for path in sorted((root / "deployment").rglob("*")):
+ if path.suffix not in {".yaml", ".yml"}:
+ continue
+ text = path.read_text(encoding="utf-8", errors="replace")
+ for match in IMAGE_RE.finditer(text):
+ images.append({"path": path.relative_to(root).as_posix(), "image": match.group(1)})
+ return images
+
+
+def audit(root: Path) -> dict[str, object]:
+ images = collect_images(root)
+ exporter_images = sorted({item["image"] for item in images if "exporter" in item["path"].lower()})
+ return {
+ "image_count": len(images),
+ "images": images,
+ "mx_exporter_images": exporter_images,
+ "mx_exporter_image_count": len(exporter_images),
+ "mx_exporter_image_consistent": len(exporter_images) <= 1,
+ }
+
+
+def main() -> int:
+ parser = argparse.ArgumentParser(description=__doc__)
+ parser.add_argument("--root", type=Path, default=Path.cwd(), help="repository root")
+ parser.add_argument("--strict", action="store_true", help="return non-zero when mx-exporter images differ")
+ parser.add_argument("--output", type=Path, help="write audit JSON to this path")
+ args = parser.parse_args()
+
+ payload = audit(args.root)
+ text = json.dumps(payload, indent=2, ensure_ascii=False)
+ if args.output:
+ args.output.write_text(text + "\n", encoding="utf-8")
+ else:
+ print(text)
+ return 1 if args.strict and not payload["mx_exporter_image_consistent"] else 0
+
+
+if __name__ == "__main__":
+ raise SystemExit(main())
From 24cd7eac21132eff2dc44ca1967e7772c80ff14e Mon Sep 17 00:00:00 2001
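Review bot: In `audit`, `"mx_exporter_image_consistent": len(exporter_images) <= 1` reports success when no exporter image was found at all, so `--strict` exits 0 when `--root` points at the wrong directory or the pattern matches nothing. For a check meant to gate on image drift that is a fail-open result. Consider failing strict mode on an empty set as well, e.g. `return 1 if args.strict and len(payload["mx_exporter_images"]) != 1 else 0`, or reporting a separate found/not-found field so callers can tell "consistent" from "nothing scanned". The three functions have no docstrings; a one-line docstring on `collect_images` saying that only `.yaml`/`.yml` files under `deployment/` are scanned would make the audit's scope explicit.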
From: papertager <2567587994@qq.com>
Date: Thu, 11 Jun 2026 00:20:39 +0800
Subject: [PATCH 2/2] Harden mx-exporter image audit
---
tests/test_audit_k8s_images.py | 17 +++++++++++++++++
tools/audit_k8s_images.py | 12 +++++++++---
2 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/tests/test_audit_k8s_images.py b/tests/test_audit_k8s_images.py
index 18a7532..12fb0fe 100644
--- a/tests/test_audit_k8s_images.py
+++ b/tests/test_audit_k8s_images.py
@@ -19,6 +19,23 @@ def test_detects_inconsistent_exporter_images(self):
 self.assertEqual(report["mx_exporter_image_count"], 2)
 self.assertIs(report["mx_exporter_image_consistent"], False)
+ def test_preserves_quoted_helm_template_images(self):
+ with tempfile.TemporaryDirectory() as tmpdir:
+ root = Path(tmpdir)
+ deploy = root / "deployment" / "mx-exporter"
+ deploy.mkdir(parents=True)
+ (deploy / "values.yaml").write_text(
+ 'image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"\n',
+ encoding="utf-8",
+ )
+
+ report = audit(root)
+
+ self.assertEqual(
+ report["mx_exporter_images"],
+ ["{{ .Values.image.repository }}:{{ .Values.image.tag }}"],
+ )
+
 if __name__ == "__main__":
 unittest.main()
diff --git a/tools/audit_k8s_images.py b/tools/audit_k8s_images.py
index cf56c8d..5d54fa2 100644
--- a/tools/audit_k8s_images.py
+++ b/tools/audit_k8s_images.py
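Review bot: The added test pins only the quoted Helm template case, while the same commit also adds inline-comment stripping in `IMAGE_RE`, an early return when `deployment/` is missing, and a narrower `"mx-exporter"` path filter, none of which is exercised here. A regression in any of those would silently change what the audit reports. Suggest adding cases such as a manifest line `image: repo/mx-exporter:v1  # pinned` expecting `repo/mx-exporter:v1`, and `audit(root)` on an empty temporary directory expecting `report["image_count"] == 0`. The enclosing test class starts outside this hunk.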
@@ -9,14 +9,20 @@
 from pathlib import Path
-IMAGE_RE = re.compile(r"^\s*image:\s*['\"]?([^'\"\s]+)", re.MULTILINE)
+IMAGE_RE = re.compile(r"^\s*image:\s*['\"]?([^'\"\n]+?)['\"]?\s*(?:#.*)?$", re.MULTILINE)
 def collect_images(root: Path) -> list[dict[str, str]]:
 images: list[dict[str, str]] = []
- for path in sorted((root / "deployment").rglob("*")):
+ deploy_dir = root / "deployment"
+ if not deploy_dir.is_dir():
+ return images
+
+ for path in sorted(deploy_dir.rglob("*")):
 if path.suffix not in {".yaml", ".yml"}:
 continue
+ if not path.is_file():
+ continue
 text = path.read_text(encoding="utf-8", errors="replace")
 for match in IMAGE_RE.finditer(text):
 images.append({"path": path.relative_to(root).as_posix(), "image": match.group(1)})
@@ -25,7 +31,7 @@ def collect_images(root: Path) -> list[dict[str, str]]:
 def audit(root: Path) -> dict[str, object]:
 images = collect_images(root)
- exporter_images = sorted({item["image"] for item in images if "exporter" in item["path"].lower()})
+ exporter_images = sorted({item["image"] for item in images if "mx-exporter" in item["path"].lower()})
 return {
 "image_count": len(images),
 "images": images,
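Review bot: `IMAGE_RE` still uses `\s*` after `image:`, and `\s` matches newlines, so a Helm values block written as a bare `image:` key followed by an indented, unquoted `repository: …` line is recorded as the image string `repository: …`. The `^\s*image:` anchor also skips container entries written as `- image: …`, which leaves those references out of the audit entirely. Keeping the whitespace on one line and allowing a list dash covers both: `IMAGE_RE = re.compile(r"^[ \t]*(?:-[ \t]+)?image:[ \t]*['\"]?([^'\"\n]+?)['\"]?[ \t]*(?:#.*)?$", re.MULTILINE)`. A short comment above the pattern listing the forms it is meant to accept (quoted, unquoted, trailing `# comment`) would help the next reader.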
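Review bot: The exporter filter in `audit` looks only at the manifest path (`"mx-exporter" in item["path"].lower()`), so an mx-exporter image referenced from a manifest stored elsewhere under `deployment/` is left out of the consistency check. Conversely, any other image in a file under an `mx-exporter` directory (a sidecar, for instance) is counted as a conflicting exporter image. Matching on the image reference as well would close the first gap, e.g. `if "mx-exporter" in item["path"].lower() or "mx-exporter" in item["image"].lower()`. Whether sidecar images need excluding depends on the repository layout, which is not visible here. `audit` continues past the end of this hunk.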